mikelindner.com


Using a Windows Virtual Machine in Linux to proxy corporate VPNs

April 18th, 2010

This is very handy for people who like to use Linux desktops but are in a corporate environment with Windows-only VPN clients. It is perfectly secure: the VM can only talk to the Linux host, assuming the host has sane firewall rules of course.

Ingredients:

Laptop running Ubuntu 10.x

VirtualBox running WindowsXP

AnalogX Proxy

Corporate VPN Client

Bridging tools

SSH ProxyConnect utility.

Firefox with FoxyProxy installed.

Method:

1. Install VirtualBox and WindowsXP

First install Sunicle VirtualBox (I use VirtualBox 4.0); check out their website for that. Put Windows XP on it and of course anti-virus. I like Avast, because it’s free and solid. However, you can use whatever AV your company puts on you, and this is a GOOD idea because it will make it more likely your strange connection techniques will be tolerated by IT 🙂

This VM needs to be networked with the type Bridged.

Next install AnalogX Proxy; this is such a handy tool. It is good fun googling “proxy” these days: it’s all about anonymisers and getting past school firewalls. We are not doing anything like that (dodgy) here. This proxy is designed to share internet connections amongst many computers, from the days before everyone had a router at home. Here we are using it to share the VPN-enabled connection from the VM back to the host.

Install your company’s VPN client into this WinXP VM also. Use Putty and IE to make sure you can connect into the corporate network, as you would normally do in Windows or at work. REMEMBER we are only accessing resources we have access to, and shouldn’t be breaking any policies or laws. One big NOTE however: if your company has strict rules on what its SOE is (standard operating environment, a special build of Windows), you’ll have to make sure you a) comply with installing all needed software and b) try to get the SOE installed in the VM. I would suggest finding a company that, if it does not support Linux, at least allows it. Or you might be stuck with Windows on your laptop like all the rest 🙁

Depending on how much fun you had getting IT to approve this method, the following section will seem hard (or easier).

This method refers to Ubuntu, coz I prefer it as a desktop (I’ve also loved RH/FC and Suse, but as a desktop I think Ubuntu has it these days). You should be able to find the equivalent packages for your flavour.

2. Install Bridging Utilities

Install the utility to allow brctl; in my case it was uml-utilities. You will also need connect-proxy. It took me a bit of googling to find the package name for my distro, in my case connect-proxy. This is the command that the ProxyCommand directive we’ll use later executes. ProxyCommand just runs “something”; in our case that something tells ssh to go through the VM. The VirtualBox guest utils and bridge-utils are also used here.

sudo apt-get install uml-utilities connect-proxy bridge-utils


If those were the right packages, lucky you! If not, a bit of looking around will find them. If you are already lost, perhaps you should stick to your corporate SOE. Note the emphasis here on not getting yourself into trouble!

3. Configure SSH

Now modify your ~/.ssh/config file and add some lines that describe your favorite server like so:

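# Short name for a favourite server
Host servername
    HostName servername.internal.example.com
    User myworkuid
    ForwardAgent yes
    # -S names the SOCKS server: here the proxy running in the VM
    ProxyCommand connect -R localhost -S 192.168.25.137 %h %p

# Any other internal host, typed as its FQDN
Host *.internal.example.com
    User myworkuid
    # ForwardAgent lets the remote host use your local SSH agent while you are connected
    ForwardAgent yes
    ProxyCommand connect -R localhost -S 192.168.25.137 %h %p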

The ProxyCommand directive is the real magic here; setting your work username just makes life easier (you don’t need the myworkuid@ before the hostname).

The IP is the internal IP of your VM; run cmd -> ipconfig inside Windows to find it. It might change and this will be a pain, but you get that when you work for a place with no Linux VPN clients.

The * as the hostname works too, but this is more tedious because you’ll have to type in the FQDN every time. It is better to set your fave hosts up as single name entities.

4. Create the Bridge

OK so we’re having fun now right!  One last thing to do is create the bridge – use these commands AS ROOT or add sudo as you please.

Try these commands one line at a time for testing, then put them in a script that you must run as root.

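brctl addbr br0                      # create the bridge
ifconfig eth0 0.0.0.0                # clear eth0's address; the bridge carries it from now on
brctl addif br0 eth0                 # attach the physical NIC to the bridge
dhclient br0                         # get the host's address on the bridge
VBoxTunctl -b -u mylocaluid          # create tap0; this is the userid you log onto your ubuntu laptop with
ifconfig tap0 up
brctl addif br0 tap0                 # attach the VM's tap device to the bridge
iptables -I INPUT -i br0 -j ACCEPT   # accept all inbound traffic on br0, which now includes eth0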

I won’t go into much detail about what is going on here; other people already have.
Now if you’re a good howto follower and I’ve written this well (yeah, it’s crap), then you’re ready to ssh into your favorite work server.

To bring it all down simply reverse the process:

## Bring it Down
iptables -D INPUT -i br0 -j ACCEPT   # remove the firewall rule added during setup
ifconfig tap0 down
VBoxTunctl -d tap0
ifconfig br0 down
brctl delbr br0
dhclient eth0
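
The `iptables -I INPUT -i br0 -j ACCEPT` rule from step 4 accepts anything arriving on the bridge, and eth0 is a member of that bridge. The following is an added example, not part of the original article: a POSIX shell function that reads `iptables -S INPUT` output and lists ACCEPT rules on an interface that carry no source, destination, protocol or match-module restriction. The rule listing is constructed sample data and `broad_accepts` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: list INPUT rules that ACCEPT everything arriving on one
# interface, i.e. rules with no source, destination, protocol or module match.

# Constructed sample in `iptables -S INPUT` format (not from a real host).
# 192.168.25.137 is the VM address used in the article's ssh config.
SAMPLE_RULES='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -i br0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.25.137/32 -i br0 -p icmp -j ACCEPT
-A INPUT ! -i br0 -j ACCEPT'

# broad_accepts IFACE: read rules on stdin, print the unrestricted ACCEPTs
# for IFACE. Hypothetical helper name, not part of iptables.
broad_accepts() {
    awk -v iface="$1" '
        $1 == "-A" && $2 == "INPUT" {
            on_iface = 0; accept = 0; narrowed = 0
            for (i = 3; i <= NF; i++) {
                # "! -i br0" means every interface except br0: not a match
                if ($i == "-i" && $(i + 1) == iface && $(i - 1) != "!") on_iface = 1
                if ($i == "-j" && $(i + 1) == "ACCEPT") accept = 1
                if ($i == "-s" || $i == "-d" || $i == "-p" || $i == "-m") narrowed = 1
            }
            if (on_iface && accept && !narrowed) print
        }'
}

# Demo on the constructed sample
printf '%s\n' "$SAMPLE_RULES" | broad_accepts br0
```

On a live host, run `iptables -S INPUT | broad_accepts br0` as root. The SOCKS connections are opened from the host towards the VM, so a rule on br0 that matches only RELATED,ESTABLISHED state covers their replies.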

Good Luck!


Please feel free to comment on how this article went for you.  I’ll pass the comments on to the various people who have added to this technique over the years.

Next step is getting it to work with Firefox.  I use FoxyProxy – I’ll leave the rest to your skills.


This is one of the most handy tools I have in my kit, I hope you find it as helpful, and neat, as I do.